NGINX and the CVE-2014-6271 Bash Advisory

On September 24, 2014, a vulnerability was revealed in the Bash shell interpreter. The details are described in CVE-2014-6271. Note that there is a follow-up vulnerability (CVE-2014-7169) that has not been patched as of this writing.

This bug does not affect the NGINX or NGINX Plus software directly, but if you are running on an affected host system, we recommend that you upgrade the copy of bash on that system as soon as possible.

Please refer to your operating system vendor’s instructions. For your convenience, here are a few links:

NGINX Plus AMIs on AWS

The NGINX Plus Amazon Machine Images (AMIs) (Version 1.3) are built on Amazon Linux or Ubuntu, and suffer from this vulnerability. We’re building and testing updated AMIs, and in the interim you need to run the following commands to manually update the bash package on those AMIs:

For Amazon Linux AMIs:

$ sudo yum update bash

For Ubuntu AMIs:

$ sudo apt-get update
$ sudo apt-get install bash

Note that new Amazon Linux-based instances are automatically updated on startup.